[FFmpeg-cvslog] smacker: more complete vlc length check, fixes out of array read

Michael Niedermayer git at videolan.org
Fri Nov 30 16:21:27 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Nov 30 16:00:07 2012 +0100| [2c69fcc2ffe671649e56dc981e9f4cd9d46a61be] | committer: Michael Niedermayer

smacker: more complete vlc length check, fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2c69fcc2ffe671649e56dc981e9f4cd9d46a61be
---

 libavcodec/smacker.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 095f0d0..e1e67da 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -96,7 +96,7 @@ enum SmkBlockTypes {
  */
 static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
 {
-    if(length > 32) {
+    if(length > 32 || length > 3*SMKTREE_BITS) {
         av_log(NULL, AV_LOG_ERROR, "length too long\n");
         return AVERROR_INVALIDDATA;
     }
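Review bot: The new bound `3*SMKTREE_BITS` in the `length` check carries no comment saying which array or lookup it protects, and once `SMKTREE_BITS` is fixed one of the two comparisons in `length > 32 || length > 3*SMKTREE_BITS` is always redundant. I would define a single named maximum code length next to the table it guards and test against that alone, or at least add a one-line comment tying `3*SMKTREE_BITS` to the read it prevents, so that a later change to `SMKTREE_BITS` cannot silently separate the check from the buffer size. While touching this line, the error path could print the offending `length` value; `av_log(NULL, ...)` with the fixed string "length too long" gives no way to tell which limit was hit or which stream triggered it.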


